Bug 220640

Summary: [ipfw][patch] ipfw drops GRE over IPv6 packets
Product: Base System
Reporter: Kun Xie <kxie>
Component: kern
Assignee: Philip Paeps <philip>
Status: Closed FIXED
Severity: Affects Some People
CC: emaste, philip
Priority: ---
Keywords: patch
Version: 9.3-STABLE
Flags: philip: mfc-stable11+, philip: mfc-stable10+, philip: mfc-stable9+
Hardware: Any
OS: Any
Attachments:
  Add IPPROTO_GRE to IPv6 protocol case list in ipfw_chk() (flags: none)

Description Kun Xie 2017-07-11 16:23:50 UTC
Created attachment 184263
Add IPPROTO_GRE to IPv6 protocol case list in ipfw_chk()

FreeBSD supports GRE over IPv6 tunnels, but if the ipfw module is loaded, ipfw_chk() searches the extension headers of IPv6 to get upper layer protocols.

There are a lot of protocols, but GRE is not one of them, so the GRE packets will be dropped if the sysctl 'net.inet6.ip6.fw.deny_unknown_exthdrs' is enabled, and unfortunately this option is set to 1 by default.

Our working environment is 9.3-STABLE, but we checked FreeBSD 11-RELEASE and FreeBSD-current and they share the same problem.

The attached patch simply adds IPPROTO_GRE to the IPv6 protocol case list in ipfw_chk() and pulls up the mbuf. With the patch applied, a GRE over IPv6 tunnel can work with the ipfw module enabled.
Comment 1 commit-hook freebsd_committer freebsd_triage 2017-07-13 09:02:19 UTC
A commit references this bug:

Author: philip
Date: Thu Jul 13 09:01:22 UTC 2017
New revision: 320941
URL: https://svnweb.freebsd.org/changeset/base/320941

Log:
  Fix GRE over IPv6 tunnels with IPFW

  Previously, GRE packets in IPv6 tunnels would be dropped by IPFW (unless
  net.inet6.ip6.fw.deny_unknown_exthdrs was unset).

  PR:		220640
  Submitted by:	Kun Xie <kxie@xiplink.com>
  MFC after:	1 week

Changes:
  head/sys/netpfil/ipfw/ip_fw2.c
Comment 2 Philip Paeps freebsd_committer freebsd_triage 2017-07-13 09:07:56 UTC
I've committed this to HEAD with minor changes (struct gre_h was renamed to struct grehdr in r274246).  I'll merge to 11-STABLE, 10-STABLE and 9-STABLE next week.
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-07-31 19:48:43 UTC
A commit references this bug:

Author: philip
Date: Mon Jul 31 19:48:29 UTC 2017
New revision: 321811
URL: https://svnweb.freebsd.org/changeset/base/321811

Log:
  MFC r320941: Fix GRE over IPv6 tunnels with IPFW

  Previously, GRE packets in IPv6 tunnels would be dropped by IPFW (unless
  net.inet6.ip6.fw.deny_unknown_exthdrs was unset).

  PR:		220640
  Submitted by:	Kun Xie <kxie@xiplink.com>

Changes:
_U  stable/11/
  stable/11/sys/netpfil/ipfw/ip_fw2.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-08-01 13:16:28 UTC
A commit references this bug:

Author: philip
Date: Tue Aug  1 13:15:30 UTC 2017
New revision: 321873
URL: https://svnweb.freebsd.org/changeset/base/321873

Log:
  MFC r320941: Fix GRE over IPv6 tunnels with IPFW

  Previously, GRE packets in IPv6 tunnels would be dropped by IPFW (unless
  net.inet6.ip6.fw.deny_unknown_exthdrs was unset).

  PR:           220640
  Submitted by: Kun Xie <kxie@xiplink.com>

Changes:
_U  stable/10/
  stable/10/sys/netpfil/ipfw/ip_fw2.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-08-01 13:40:48 UTC
A commit references this bug:

Author: philip
Date: Tue Aug  1 13:40:38 UTC 2017
New revision: 321874
URL: https://svnweb.freebsd.org/changeset/base/321874

Log:
  MFC r320941: Fix GRE over IPv6 tunnels with IPFW

  Previously, GRE packets in IPv6 tunnels would be dropped by IPFW (unless
  net.inet6.ip6.fw.deny_unknown_exthdrs was unset).

  PR:		220640
  Submitted by:	Kun Xie <kxie@xiplink.com>

Changes:
_U  stable/9/sys/
_U  stable/9/sys/netpfil/
  stable/9/sys/netpfil/ipfw/ip_fw2.c